5 Answers
5

In a properly designed application the backend and frontend are disconnected.
The backend security system can't assume any specific frontend will correctly handle security, so it has to handle it itself.

@Codism - He did answer it. B/c you cannot assume anything. You do the authorization check at the method level b/c regardless of how someone got there, you need to ensure they have the proper rights.
–
Joseph LustOct 25 '12 at 15:21

@JosephLust: the answer and your comment can be applied to any security system at any different level. The original question was specifically asking why at method level.
–
CodismOct 25 '12 at 17:05

Because it is the lowest available level and readily applied seemlessly using AOP or AspectJ. I don't believe this applies to all other security implementations.
–
Joseph LustOct 25 '12 at 21:07

I assume you are talking about role based access to actions in a controller. I.e. in an MVC architecture each method on a Controller class is a separate action. Most MVC frameworks I've used allow me to assign privileges at both the method level and the class level. That would mean I can apply an attribute/annotation at the class level and the corresponding role would be required for every action in that controller.

In respects to more fine grained control for role based access consider this:

It's convenient to group all actions around a resource together. I.e. your Create/Read/Update/Delete (CRUD) actions for articles, accounts, etc. This makes REST style APIs easier to write and maintain.

Many systems have different credentials/roles required for Create/Update/Delete actions than they do for Read actions.

If all user account actions are in one controller, you want to allow anyone to log in, but only certain people to create new accounts or assign roles.

Like it or not, when Ruby on Rails hit the airwaves a few years ago, just about every MVC framework copied its fundamental design approach. It used to be that actions were separate classes, but action logic tends to be small and focused so a full class overhead is overkill. Mapping a method on a controller to the action for a page actually made a lot of sense. Just know that many people need fine-grained control over which roles can perform what functions.

in cases where it's more convenient or logical to have permissions in method level
consider a case where different users can perform the same "direct" actions (so client security isn't relevant). but in some cases their action may trigger a behavior you wish to limit - in this case method level security may be a relevant solution.

I presume that you are talking about public, private and protected methods here?

If so, then they don't exist for the purpose of security. They exist for the purpose of making it easier o guarantee that software is properly modularized. (Whether they succeed in that is a debate I'll leave for others. That is, however, the vision of what they are for.)

Suppose that I deliver a library, then I am free to later deliver a different version of the library and change stuff marked as private as much as I want to. By contrast if I had not marked that stuff private, then I would be unable to change any internals of my software because someone, somewhere, is probably accessing it directly. Sure, in theory it is their fault for not using the documented API. But the client will perceive it as my fault that my software upgrade broke their software. They don't want excuses, they want it fixed. But if I don't let them have access to begin with, then my API is exactly the public methods that I intended to be my API and the problem is avoided.

The second most likely thing that you could be talking about is Java's security model. If you're talking about that, then the reason that it exists was that the original vision for Java involved people sending possibly untrusted applets to work interactively inside of third party programs (eg browsers). Therefore the security model was meant to give users some protection against malicious applets. Therefore the security threat to worry about and protect against is untrusted applets trying to interact with other software that might be loaded.

Mike Wiesner reminded in this SpringSource presentation, Introduction to Spring Security 3/3.1, brought the example that Tomcat, and many other Servlets containers had a bug that failed to properly recognize "../", when encoded in unicode, in a way that a simple equals test would fail in Java, but would translate to the upper directory in the filesystem.

Security is hard, multiple levels of security, will improve the chances to block circumvention attempts. Since method level security is directly coded inside the class, after the AOP augmentation, when you call the method, you'll always call the security check before.